Topics

Communicating and Storing Data Securely

Communications and Sharing Data

To make the best decisions for your parliament about how to communicate, it is essential to understand the different types of protection that our communications can have, and why such protection is important. One of the most important elements of communications security relates to keeping private communications private - which in the modern era is largely taken care of by encryption. Without proper encryption, internal parliamentary communications could be seen by any number of adversaries. Insecure communications can expose sensitive or embarrassing information and messages, reveal passwords or other private data, and possibly put your members or staff at risk depending upon the nature of your communications and content that you share.

As a parliament, it is also important to ensure that members and staff’s official governmental communications comply with all relevant open government obligations (such as freedom of information requests) and data security commitments. Therefore, when designing and implementing secure communications systems and policies across parliament, be sure to keep these factors in mind so that relevant messages can both be properly secured and, when necessary under law, preserved.

Secure Communications and Parliaments

Image of political protestors in Belarus

There have been many incidents in recent years in which the communications systems of parliaments and accounts of MPs and their staff have been compromised, leading to disruption in parliamentary operations and in some cases the theft of sensitive communications. In July 2021, for instance, Polish authorities announced that the email accounts of nearly a dozen local MPs were hacked, including a personal account of the prime minister’s top aide and accounts of members from almost every parliamentary opposition grouping. This report came just months after similar news came to light about a cyberattack against the information and communication systems of the Finnish parliament. Authorities in Finland described that attack as “aggravated espionage and message interception” aimed at its parliament.

What is encryption and why is it important?

Encryption is a mathematical process used to scramble a message or a file so that only a person or entity with the key can “decrypt” it and read it. Without any encryption in place, our messages are left open to being read by potential adversaries, including unfriendly foreign governments, or hackers on the web. Such encryption is important not just for internal parliamentary communications but also for external communications in which privacy and integrity need to be protected. The Electronic Frontier Foundation’s Surveillance Self-Defense Guide provides a practical explanation, with graphics, of what encryption means:

Unencrypted Messaging

Image of no encryption being used for a message in transit

As you can see in the image above, a smartphone sends a green, unencrypted text message (“hello”) to another smartphone on the far right. Along the way, a cellphone tower (or in the case of something sent over the internet, your internet service provider, known as an ISP) passes the message along to company servers. From there it hops through the network to another cellphone tower, which can see the unencrypted “hello” message, and is finally then routed to the destination. It is important to note that without any encryption, everyone involved in relaying the message, and anyone who can sneak a peek as it goes by, can read its content. This might not matter much if all you are saying is “hello,” but it could be a big deal if you are communicating something more private or sensitive that you do not want your telecom, ISP, an unfriendly government, or any other adversary to see. Because of this, it is essential to avoid using unencrypted tools to send any sensitive messages (and ideally any messages at all). Keep in mind that some of the most popular communication methods - such as SMS and phone calls - in practice operate without any encryption (like in the image above).

There are two ways to encrypt data as it moves: transport-layer encryption and end-to-end encryption. The type of encryption a service provider supports is important to know as your parliament makes choices to adopt more secure communications practices and systems. Such differences are described well by the Surveillance Self-Defense guide, which is adapted again here:

Transport-layer encryption, also known as transport layer security (TLS), protects messages as they travel from your device to the messaging app/service’s servers and from there to your recipient’s device. This protects them from the prying eyes of hackers sitting on your network or your internet or telecommunications service providers. However, in the middle your messaging/email service provider, the website you are browsing, or the app you are using can see unencrypted copies of your messages. Because your messages can be seen by and are often stored on company servers, they may be vulnerable to law enforcement requests or theft if the company’s servers are compromised.

Transport-layer Encryption 

Image of transport layer encryption being used for a message

The image above shows an example of transport-layer encryption. On the left, a smartphone sends a green, unencrypted message: “Hello.” That message is encrypted and then passed along to a cellphone tower. In the middle, the company servers are able to decrypt the message, read the contents, decide where to send it, re-encrypt it, and send it along to the next cellphone tower towards its destination. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.”

End-to-end encryption protects messages in transit all the way from sender to receiver. It ensures that information is turned into a secret message by its original sender (the first “end”) and decoded only by its final recipient (the second “end”). No one, including the app or service you are using, can “listen in” and eavesdrop on your activity.

End-to-End Encryption

Image of end-to-end encryption being used for a message

The image above shows an example of end-to-end encryption. On the left, a smartphone sends a green, unencrypted message: “Hello.” That message is encrypted, and then passed along to a cellphone tower and then to the app/service’s servers, which cannot read the contents, but will pass the secret message along to its destination. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.” Unlike transport-layer encryption, your ISP or messaging host is not able to decrypt the message. Only the endpoints (the original devices sending and receiving encrypted messages) have the keys to decrypt and read the message.
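The three diagrams above can be reduced to a small model of who can read what. The following Python is an added example written for this Handbook section; it is not code from any messaging app or from EFF. It uses a constructed toy cipher, made-up hop names and random keys, and carries one message along sender, tower, server, tower, recipient in each of the three modes. The envelope header it records at every hop is the metadata (who, to whom, when, how long) that the Handbook returns to in the metadata section: no mode hides that from the hops that route the message.

```python
"""Model of the three delivery modes in the diagrams above: no encryption,
transport-layer encryption and end-to-end encryption. Constructed example:
the hop names, keys and toy cipher are illustrative, not any real app."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream. Symmetric,
    so the same call encrypts and decrypts. For illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Envelope:
    """What actually crosses the network: addressing header plus body."""
    sender: str
    recipient: str
    sent_at: int
    nonce: bytes
    body: bytes
    encrypted: bool = True

    def header(self) -> dict:
        # The header is metadata (who, to whom, when, how much). No mode
        # below hides it from the hops that route the message.
        return {"from": self.sender, "to": self.recipient,
                "sent_at": self.sent_at, "length": len(self.body)}


def observe(env: Envelope, key: Optional[bytes]) -> dict:
    """What one hop learns: always the header; the content only if the body
    is cleartext or the hop holds the key the body was encrypted with."""
    if not env.encrypted:
        content = env.body.decode()
    elif key is not None:
        content = keystream_xor(key, env.nonce, env.body).decode()
    else:
        content = None
    return {"header": env.header(), "content": content}


def deliver(mode: str, sender: str, recipient: str, text: str,
            sent_at: int = 1_700_000_000) -> Dict[str, dict]:
    """Carry `text` along sender -> tower -> server -> tower -> recipient and
    record what each hop can see. mode is 'none', 'transport' or 'e2e'."""
    link_a = os.urandom(32)    # sender <-> server session key (TLS-like)
    link_b = os.urandom(32)    # server <-> recipient session key
    e2e_key = os.urandom(32)   # shared only by the two endpoints
    nonce = os.urandom(16)
    body = text.encode()
    if mode == "none":
        env = Envelope(sender, recipient, sent_at, nonce, body, encrypted=False)
    elif mode == "transport":
        env = Envelope(sender, recipient, sent_at, nonce,
                       keystream_xor(link_a, nonce, body))
    elif mode == "e2e":
        env = Envelope(sender, recipient, sent_at, nonce,
                       keystream_xor(e2e_key, nonce, body))
    else:
        raise ValueError(f"unknown mode {mode!r}")

    seen = {"tower_near_sender": observe(env, None)}   # towers/ISPs hold no key
    if mode == "transport":
        # The server terminates the first link: it decrypts, can read and
        # store the text, then re-encrypts for the second link.
        seen["server"] = observe(env, link_a)
        plain = keystream_xor(link_a, nonce, env.body)
        nonce2 = os.urandom(16)
        env = Envelope(sender, recipient, sent_at, nonce2,
                       keystream_xor(link_b, nonce2, plain))
    else:
        seen["server"] = observe(env, None)   # relay only: no usable key
    seen["tower_near_recipient"] = observe(env, None)
    final_key = {"none": None, "transport": link_b, "e2e": e2e_key}[mode]
    seen["recipient"] = observe(env, final_key)
    return seen


def who_can_read(seen: Dict[str, dict]) -> list:
    """Hops that saw the plaintext."""
    return sorted(hop for hop, view in seen.items() if view["content"] is not None)


if __name__ == "__main__":
    for mode in ("none", "transport", "e2e"):
        print(mode, "readable by:",
              who_can_read(deliver(mode, "alice", "bob", "Hello")))
```

Running it lists every hop as a reader in the unencrypted case, the server and recipient in the transport-layer case, and only the recipient in the end-to-end case, while the header (including the message length) is identical at every hop in all three. That is the practical difference a parliament is choosing between: transport-layer encryption moves the trust question onto the service operator; end-to-end encryption removes the operator from the list of readers but still leaves the addressing information with whoever relays the message.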

What type of encryption do we need?

When deciding whether your parliament needs transport-layer encryption or end-to-end encryption for your communications (or some combination of the two for different systems and activities), the big questions you should ask involve trust. For instance, do you trust the app or service you are using? Do you trust its technical infrastructure? Are you concerned about the possibility that an unfriendly foreign government could force the company to hand over your messages – and if so, do you trust the company's policies to protect against foreign law enforcement requests?

If you answer “no” to any of these questions, then you need end-to-end encryption. If you answer “yes” to them, then a service that supports only transport-layer encryption may suffice - but it is generally better to go with services that support end-to-end encryption when possible.

Another set of questions to consider is whether you as a parliament are required by law to maintain sole access to any parliamentary communications, whether there are any data localization requirements in your country, and/or if certain communications need to be preserved (e.g. not permanently deleted by staff) in order to comply with open government laws and commitments. If so, you might consider an end-to-end encryption-enabled enterprise-grade communications system in which you, as a parliament, are able to control the encryption keys yourself. Such systems (which will be discussed in more detail in the Storing Data Securely section of the Handbook) can be powerful, but do require advanced technical skills to implement.

Also, when messaging with groups, keep in mind that the security of your messages is only as good as the security of everyone receiving the messages. In addition to carefully choosing secure apps and systems, it is important that everyone in the group follows other best practices regarding account security and device security. All it takes is one bad actor or one infected device to leak the contents of an entire group chat or call.

What should we do about email?

In general, email is not the best option when it comes to security. Even the best end-to-end encrypted email options typically leave something to be desired from a security perspective, for example, not encrypting subject lines of emails and not protecting metadata (an important concept which will be described below). If you need to communicate highly sensitive information that does not need to be retained for the public record, keep in mind that email (both the parliament’s system and especially someone’s personal account) is best avoided in favor of secure messaging options (which will be highlighted in the next section).

However, as a parliament, you may still want or need for members and staff to communicate sensitive or private content through a system that is centrally managed as part of their day-to-day operations. A parliament-wide email system, with proper account controls of course, can be useful here. If, according to your analysis above, transport-layer encryption will suffice, then standard business offerings from email providers such as Google Workspace (Gmail) and Microsoft 365 (Outlook) could be solid options for your parliament. However, if you are worried that your email provider could be legally required to provide information about your communications to a foreign government or another adversary, or if local data residency requirements may be a concern, you will want to consider using an end-to-end encrypted email option. A few such options include adding your own encryption key management to Google Workspace or Microsoft 365 (as described in the Storing Data Securely section of this Handbook), or adopting end-to-end encrypted email services designed for large organizations such as ProtonMail Business or Tutanota Business.

What end-to-end encrypted messaging tools should we use (as of 2022)?

If you need to use end-to-end encryption, or just want to adopt the best practice regardless of your parliament’s threat context, here are some trusted examples of services that, as of 2022, offer end-to-end encrypted messaging and calls. This section of the Handbook will be regularly updated online, but please note that things change quickly in the world of secure messaging, so these recommendations may not be up to date at the time you are reading this section. Keep in mind that your communications are only as secure as your device itself. So in addition to adopting secure messaging practices, it is essential to implement the best practices described in the Secure Devices section of this Handbook.

Text messaging (individual or group):
  • Signal
  • WhatsApp (only with specific setting configurations detailed below)
Audio and Video calls:
  • Signal (up to 40 people)
  • WhatsApp (up to 32 people on audio, eight on video)
File sharing:
  • Signal
  • Keybase / Keybase Teams
  • Tresorit

What is metadata and should we be concerned about it?

Who you and your staff, members, and teams talk to and when and where you talk to them can often be just as sensitive as what you talk about. It is important to remember that end-to-end encryption only protects the contents (the “what”) of your communications. This is where metadata comes into play. EFF’s Surveillance Self-Defense Guide provides an overview of metadata and why it matters (including an illustration of what metadata looks like):

Metadata description

Metadata is often described as everything except the content of your communications. You can think of metadata as the digital equivalent of an envelope. Just like an envelope contains information about the sender, receiver, and destination of a message, so does metadata. Metadata is information about the digital communications you send and receive. Some examples of metadata include:

  • who you are communicating with
  • the subject line of your emails
  • the length of your conversations
  • the time at which a conversation took place
  • your location when communicating

While transparency of applicable parliamentary operations is essential, limiting unauthorized access to metadata (in addition to protecting the content of communications) is important as well. After all, metadata can reveal sensitive information to hackers, foreign governments, companies, or others whom you might not want to have access. A couple examples of how revealing metadata can be include:

  • They know an MP or staffer called a journalist and spoke with them for an hour before that journalist published a story with an anonymous quote. However, they do not know what you talked about.
  • They know you got an email from a COVID testing service, then called your doctor, then visited the World Health Organization’s website in the same hour. However, they do not know what was in the email or what you talked about on the phone.

Metadata is not protected by the encryption provided by most message services. If you are sending a message on WhatsApp, for example, keep in mind that while the contents of your message are end-to-end encrypted, it is still possible for others to know who you are messaging, how frequently, and, with phone calls, for how long. As a result, you should keep in mind what risks exist (if any) if certain adversaries are able to find out who you talk to, when you talked to them, and (in the case of email) the general subject lines of your parliament’s communications.

One of the reasons that Signal is so highly recommended is that, in addition to providing end-to-end encryption, it has introduced features and made commitments to reduce the amount of metadata that it records and stores. For instance, Signal’s Sealed Sender feature encrypts the metadata about who is talking to whom, so that Signal only knows the recipient of a message but not the sender. By default, this feature only works when communicating with existing contacts or profiles (people) with whom you have already communicated or whom you have stored in your contacts list. However, you can enable this “Sealed Sender” setting to “Allow from anyone” if it is important for you to eliminate such metadata across all Signal conversations, even those with people unknown to you. This may not be critical for the majority of parliamentary communications, but it is important to be aware of the risks posed by metadata and to select appropriate communication tools and policies accordingly.

Can we really trust WhatsApp?

WhatsApp is a popular choice for secure messaging, and can be a good option given its ubiquity. Some people are concerned that it is owned and controlled by Facebook, which has been working to integrate it with its other systems. People are also concerned about the amount of metadata (i.e., information about with whom you communicate and when) that WhatsApp collects. If you choose to use WhatsApp as a secure messaging option, be sure to read the above section on metadata. There are also a few settings that you need to ensure are properly configured. Most critically, be sure to turn off cloud backups or, at the very least, enable WhatsApp’s new end-to-end encrypted backups feature using a 64-digit encryption key or a long, random, and unique passcode saved in a secure place (like your password manager). Also be sure to show security notifications and verify security codes. You can find simple how-to guides for configuring these settings for Android phones here and iPhones here. If your staff *and those with whom you all communicate* do not properly configure these options, then you should not consider WhatsApp to be a good option for sensitive communications that require end-to-end encryption. Signal still remains the best option for such end-to-end encrypted messaging needs given its secure default settings and protection of metadata.

What about texting?

Basic text messages are highly insecure (standard SMS is effectively unencrypted), and should be avoided for anything that is not meant for public knowledge. While Apple’s iPhone-to-iPhone messages (known as iMessages) are end-to-end encrypted, if a non-iPhone is in the conversation, the messages are not secured. It is best to be safe and avoid text messages for anything remotely sensitive, private, or confidential.

Why aren’t Telegram, Facebook Messenger, or Viber recommended for secure chats?

Some services, like Facebook Messenger and Telegram, only offer end-to-end encryption if you deliberately turn it on (and only for one-to-one chats), so they are not good options for sensitive or private messaging, especially for teams. Do not rely on these tools if you need to use end-to-end encryption, because it is quite easy to forget to change away from the default, less secure settings. Viber claims to offer end-to-end encryption, but has not made its code available for review to outside security researchers. Telegram’s code has also not been made available for a public audit. As a result, many experts fear that Viber’s encryption (or Telegram’s “secret chats”) may be substandard and therefore not suitable for communications that require true end-to-end encryption.

Our parliamentary colleagues and constituents are using other messaging apps - how can we convince them to download a new app to communicate with us?

Sometimes there is a tradeoff between security and convenience, but a little extra effort is worth it for sensitive communications. Set a good example for your contacts - whether they be in other government agencies, institutions, across parliament or external constituents. If you have to use other less secure systems, be very conscious of what you are saying. Avoid discussion of sensitive topics. Some parliaments may have different protocols for general chatting or public facing communications compared to confidential discussions with leadership, for example. Classify your parliamentary communications (internal and external) based upon sensitivity and be sure members and staff are using appropriate communication mechanisms accordingly! Of course, it is simplest if everything is just automatically encrypted all the time - nothing to remember or think about.

Luckily, end-to-end encrypted apps like Signal are becoming increasingly popular and user-friendly - not to mention that they have been localized in dozens of languages for global use. If your partners or other contacts need help switching communications over to an end-to-end encrypted option like Signal, take some time to talk them through why it is so important to properly protect your communications. When everyone understands the importance, the few minutes required to download a new app and the couple of days it might take to get used to using it will not seem like a big deal.

Are there other settings for end-to-end encrypted apps that we should be aware of?

In the Signal app, verifying security codes (which they refer to as Safety Numbers) is also important. To view a safety number and verify it in Signal, you can open up your chat with a contact, tap their name at the top of your screen, and scroll down to tap “View Safety Number.” If your safety number matches with your contact, you can mark them as “verified” from that same screen. It is especially important to pay attention to these safety numbers and to verify your contacts if you receive a notification in a chat that your safety number with a given contact has changed. If you or other staff need help configuring these settings, Signal itself provides helpful instructions.
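What a safety number is for, and why a change notification matters, is easier to see in code. The following Python is an added example written for this Handbook section, not Signal’s own implementation: the fingerprint construction is a simplified stand-in (a repeated SHA-256 hash turned into 60 digits), and the identity keys are constructed test values rather than real keys. It shows that two contacts compute the same number independently, that verification is done by comparing that number over a second channel, and that a change in the contact’s identity key (a reinstalled app, a new phone, or something in the path substituting a key) produces the “safety number has changed” event and clears the verified status until the number is checked again.

```python
"""Simplified model of safety-number verification. Added example; the
fingerprint scheme is illustrative and is NOT Signal's actual algorithm."""
import hashlib
from dataclasses import dataclass
from typing import Dict


def key_fingerprint(identifier: str, public_key: bytes) -> str:
    """30 decimal digits derived from one party's identifier and identity
    key. Iterated hashing makes look-alike fingerprints costly to search."""
    digest = hashlib.sha256(identifier.encode() + public_key).digest()
    for _ in range(5000):
        digest = hashlib.sha256(digest + public_key).digest()
    digits = ""
    for i in range(0, 24, 4):   # six 4-byte chunks -> six 5-digit groups
        digits += f"{int.from_bytes(digest[i:i + 4], 'big') % 100000:05d}"
    return digits


def safety_number(id_a: str, key_a: bytes, id_b: str, key_b: bytes) -> str:
    """60 digits covering BOTH identity keys. The two fingerprints are sorted
    before joining, so each side computes the identical number."""
    fps = sorted([key_fingerprint(id_a, key_a), key_fingerprint(id_b, key_b)])
    digits = fps[0] + fps[1]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


@dataclass
class ContactRecord:
    identifier: str
    identity_key: bytes
    verified: bool = False


class Client:
    """One user's device: its own identity key and what it knows of contacts."""

    def __init__(self, identifier: str, identity_key: bytes):
        self.identifier = identifier
        self.identity_key = identity_key
        self.contacts: Dict[str, ContactRecord] = {}

    def remember(self, contact_id: str, key: bytes) -> str:
        """Record a contact's identity key as received in-band. Returns 'new',
        'unchanged' or 'changed'; a change clears verification, which is the
        event the app surfaces as 'your safety number with X has changed'."""
        rec = self.contacts.get(contact_id)
        if rec is None:
            self.contacts[contact_id] = ContactRecord(contact_id, key)
            return "new"
        if rec.identity_key == key:
            return "unchanged"
        rec.identity_key = key
        rec.verified = False
        return "changed"

    def safety_number_with(self, contact_id: str) -> str:
        rec = self.contacts[contact_id]
        return safety_number(self.identifier, self.identity_key,
                             rec.identifier, rec.identity_key)

    def mark_verified(self, contact_id: str, number_from_other_channel: str) -> bool:
        """Compare what this device shows with the number the contact read out
        in person or on a call. Only an exact match marks them verified."""
        ok = self.safety_number_with(contact_id) == number_from_other_channel
        self.contacts[contact_id].verified = ok
        return ok


def run_scenario() -> dict:
    """Alice verifies Bob, then Bob's identity key changes."""
    # Constructed identity keys: stand-ins for real long-term public keys.
    alice = Client("+15550100", hashlib.sha256(b"alice-phone").digest())
    bob = Client("+15550199", hashlib.sha256(b"bob-phone").digest())
    events = [alice.remember(bob.identifier, bob.identity_key)]
    bob.remember(alice.identifier, alice.identity_key)
    shown_on_bob_screen = bob.safety_number_with(alice.identifier)
    numbers_match = alice.safety_number_with(bob.identifier) == shown_on_bob_screen
    verified_first = alice.mark_verified(bob.identifier, shown_on_bob_screen)
    events.append(alice.remember(bob.identifier, bob.identity_key))  # same key
    # Bob's key changes (new phone, reinstall, or a substituted key in the path).
    new_key = hashlib.sha256(b"bob-new-phone").digest()
    events.append(alice.remember(bob.identifier, new_key))
    return {
        "events": events,
        "numbers_match": numbers_match,
        "verified_first": verified_first,
        "still_verified": alice.contacts[bob.identifier].verified,
        "number_changed": alice.safety_number_with(bob.identifier) != shown_on_bob_screen,
        "old_number": shown_on_bob_screen,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "->", v)
```

The point for staff policy is the last two results: after the key change, the old number no longer matches and the contact is no longer marked verified. The right response to that notification is to confirm the new number with the contact over a channel the app itself does not carry (in person or by voice), exactly as the paragraph above describes, before treating the conversation as verified again.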

If using Signal, which is widely considered to be the best user-friendly option for secure messaging and one-to-one calls, be sure to set a strong PIN. Use at least six digits, and not something easy to guess like your birth date.

For more tips on how to properly configure Signal and WhatsApp, you can check out the tool guides for both developed by EFF in their Surveillance Self-Defense Guide.

What about larger group video calls? Are there end-to-end encrypted options?

With the increase in remote work, it is important to have a secure option for your office’s large group video calls or virtual town halls for MPs. Unfortunately, no great options currently exist that check all the boxes: user-friendly, support large numbers of attendees and collaboration features, and enable end-to-end encryption by default.

The specific needs of plenary sessions and committee meetings will be discussed later in this Handbook, but for your other more general meetings that do not require advanced collaboration features like breakout rooms, Signal is highly recommended. Group video calls on Signal can be joined by up to 40 participants either from a smartphone or the Signal desktop app on a computer, which allows for screen sharing. Keep in mind, however, that only your contacts who already use Signal can be added to a Signal group.

If you are looking for other options, one platform that recently added an end-to-end encrypted option is Jitsi Meet. Jitsi Meet is a web-based audio and video conferencing solution that can work for large audiences (up to 100 people) and requires no app download or special software. Note that if you use this feature with large groups (more than 15-20 people) the call quality may decrease. To set up a meeting on Jitsi Meet, you can go to meet.jit.si, type in a meeting code and share that link (via a secure channel such as Signal) with your desired participants. To use end-to-end encryption, take a look at these instructions outlined by Jitsi. Note that all individual users will need to enable end-to-end encryption themselves in order for it to work. When using Jitsi, be sure to create random meeting room names and use strong passcodes to protect your calls.

If this option does not work for your teams, you can consider using a popular commercial option like Webex or Zoom with end-to-end encryption enabled. Webex has long allowed for end-to-end encryption; however, this option is not turned on by default and requires participants to download Webex to join your meeting. To get the end-to-end encrypted option for your Webex account you must open a Webex support case and follow these instructions to ensure end-to-end encryption is configured. Only the host of the meeting needs to enable end-to-end encryption. If they do so, the entire meeting will be end-to-end encrypted. If using Webex for secure group meetings and workshops, be sure to also enable strong passcodes on your calls.

After months of negative press, Zoom developed an end-to-end encryption option for its calls. However, that option is not turned on by default, requires that the call host associate their account with a phone number, and only works if all participants join via the Zoom desktop or mobile app instead of dialing in. Because it is easy to accidentally misconfigure these settings, it is not ideal to rely on Zoom as an end-to-end encrypted option. However, if end-to-end encryption is required and Zoom is your only option, you can follow Zoom’s instructions to configure it. Just be sure to check any call before it starts to ensure it is indeed end-to-end encrypted by clicking the green lock in the upper left-hand corner of the Zoom screen and seeing “end-to-end” listed next to the encryption setting. You should also set a strong passcode for any Zoom meeting.

It is worth noting, however, that certain popular features of the above tools only work with transport-layer encryption. For example, turning on end-to-end encryption in Zoom disables breakout rooms, polling capabilities, and cloud recording. In Jitsi Meet, breakout rooms can disable the end-to-end encryption feature, leading to an unwitting decrease in security.

What if we really do not need end-to-end encryption for all our communications?

If end-to-end encryption is not needed for all of your parliament’s communications based upon your risk assessment, you can consider using applications protected by transport-layer encryption. Remember, this type of encryption requires that you trust the service provider, such as Google for Gmail, Microsoft for Outlook/Exchange, or Facebook for Messenger, because they (and anyone they might be compelled to share information with) can see/hear your communications. Once again, the best options will depend upon your threat model (for example, if you do not trust Google or if the U.S. government is your adversary, then Gmail is not a good option), but a few popular and generally trusted options include:

 

Email:
  • Gmail (via Google Workspace)
  • Outlook (via Office 365)
    • Do not host your own Microsoft Exchange server for your parliament's email. If you are currently doing so, you should migrate to Office 365.
Text messaging (individual or group):
  • Google Hangouts
  • Slack
  • Microsoft Teams
  • Mattermost
  • Line
  • KakaoTalk
  • Telegram
Group conferencing, audio and video calls:
  • Jitsi Meet
  • Google Meet
  • Microsoft Teams
  • Webex
  • GoToMeeting
  • Zoom
File sharing:
  • Google Drive
  • Microsoft SharePoint
  • Dropbox
  • Slack
  • Microsoft Teams

A note about file sharing

In addition to securely sharing messages, sharing files safely is likely an important part of your parliament’s security plan. Most file-sharing options are built into messaging applications or services that you might already be using. For instance, sharing files via Signal is a great option if end-to-end encryption is needed. If transport-layer encryption is enough, using Google Drive or Microsoft SharePoint might be a good option for your parliament. Just be sure to configure sharing settings properly so that only the appropriate people have access to a given document or folder, and ensure that these services are connected to staff’s organizational (not personal) email accounts. If you can, prohibit sharing sensitive files via email attachments or physically on USB drives. Using USB drives within your parliament greatly increases the likelihood of malware infection or theft, and relying on email or other forms of attachments weakens your parliament’s defenses against phishing attacks.

Communicating Data Securely

  • Classify communications based upon their sensitivity.
    • Determine the appropriate systems and tools for communication accordingly.
    • Set a policy on how long you will retain messages accordingly, keeping in mind both security and commitments to parliamentary transparency.
  • Require the use of trusted end-to-end encrypted messaging services for your parliament’s sensitive communications.
    • Take time to explain to staff and external partners why secure communications are so important; this will enhance the success of your plan.
  • Ensure proper settings are in place for secure communications apps, including:
    • Ensure all staff are paying attention to security notifications and, if using WhatsApp, not backing up chats.
    • If using an app where end-to-end encryption is not enabled by default (e.g., Zoom or Webex), ensure the required users have turned on the proper settings at the outset of any call or meeting.
  • Do not attempt to host your own email server - use cloud-based email services such as Office 365 or Google Workspace (Gmail) as alternatives.
    • Do not allow staff to use personal email accounts for work.
  • Frequently remind staff and members about security best practices related to group messaging and metadata.
    • Be aware of who is included in group messages, chats, and email threads.